Don't pass '-j' in target arg to expand_rule()

- use the target to locate chain for reference tracking

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-08-26 10:37:07 -07:00
parent 15fbbdaac7
commit 12f48e1b97
7 changed files with 27 additions and 26 deletions


@ -86,7 +86,7 @@ sub process_accounting_rule( ) {
$jumpchainref = ensure_accounting_chain( $jumpchain, 0 ); $jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
check_chain( $jumpchainref ); check_chain( $jumpchainref );
$disposition = $jumpchain; $disposition = $jumpchain;
"-j $jumpchain"; $jumpchain;
} }
my $target = ''; my $target = '';
@ -101,7 +101,7 @@ sub process_accounting_rule( ) {
unless ( $action eq 'COUNT' ) { unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) { if ( $action eq 'DONE' ) {
$target = '-j RETURN'; $target = 'RETURN';
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;
if ( $cmd ) { if ( $cmd ) {


@ -58,7 +58,7 @@ our @EXPORT = qw( merge_levels
$macro_commands $macro_commands
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_12'; our $VERSION = '4.4_13';
# #
# Used Actions. Each action that is actually used has an entry with value 1. # Used Actions. Each action that is actually used has an entry with value 1.
@ -636,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
'', #Original Dest '', #Original Dest
$action ? "-j $action" : '', $action ,
$level , $level ,
$action , $action ,
'' ); '' );


@ -3161,7 +3161,7 @@ sub expand_rule( $$$$$$$$$$;$ )
$source, # SOURCE $source, # SOURCE
$dest, # DEST $dest, # DEST
$origdest, # ORIGINAL DEST $origdest, # ORIGINAL DEST
$target, # Target ('-j' part of the rule) $target, # Target ('-j' part of the rule - may be empty)
$loglevel , # Log level (and tag) $loglevel , # Log level (and tag)
$disposition, # Primtive part of the target (RETURN, ACCEPT, ...) $disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
$exceptionrule,# Caller's matches used in exclusion case $exceptionrule,# Caller's matches used in exclusion case
@ -3170,6 +3170,7 @@ sub expand_rule( $$$$$$$$$$;$ )
my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ); my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl );
my $chain = $chainref->{name}; my $chain = $chainref->{name};
my $jump = $target ? '-j ' . $target : '';
our @ends = (); our @ends = ();
# #
@ -3533,7 +3534,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Generate Final Rule # Generate Final Rule
# #
add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
} else { } else {
# #
# No exclusions # No exclusions
@ -3552,13 +3553,13 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
if ( $disposition ne 'LOG' ) { if ( $disposition ne 'LOG' ) {
unless ( $logname || $target =~ /-j RETURN\b/ ) { unless ( $logname || $target =~ /^RETURN\b/ ) {
# #
# Find/Create a chain that both logs and applies the target action # Find/Create a chain that both logs and applies the target action
# and jump to the log chain if all of the rule's conditions are met # and jump to the log chain if all of the rule's conditions are met
# #
add_jump( $chainref, add_jump( $chainref,
logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ), logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $jump ),
$builtin_target{$disposition}, $builtin_target{$disposition},
$matches, $matches,
1 ); 1 );
@ -3573,7 +3574,7 @@ sub expand_rule( $$$$$$$$$$;$ )
'add', 'add',
$matches ); $matches );
add_rule( $fromref = $chainref, $matches . $target, 1 ); add_rule( $fromref = $chainref, $matches . $jump, 1 );
} }
} else { } else {
# #
@ -3594,7 +3595,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# No logging -- add the target rule with matches to the rule chain # No logging -- add the target rule with matches to the rule chain
# #
add_rule( $fromref = $chainref, $matches . $target , 1 ); add_rule( $fromref = $chainref, $matches . $jump , 1 );
} }
} }
} }
@ -3603,8 +3604,8 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Mark Target as referenced, if it's a chain # Mark Target as referenced, if it's a chain
# #
if ( $fromref && $disposition ) { if ( $fromref && $target ) {
my $targetref = $chain_table{$chainref->{table}}{$disposition}; my $targetref = $chain_table{$chainref->{table}}{$target};
if ( $targetref ) { if ( $targetref ) {
$targetref->{referenced} = 1; $targetref->{referenced} = 1;
add_reference $fromref, $targetref; add_reference $fromref, $targetref;
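Review bot: The reference-tracking lookup `my $targetref = $chain_table{$chainref->{table}}{$target};` now keys on the whole target string, whereas the old `$disposition` key was by the parameter's own comment the primitive name only; several callers in this commit pass a target with trailing text (`'MASQUERADE '`, `'SNAT '`, `'REDIRECT '`, `"SNAT --to-source $variable"`, `"TOS --set-tos $tos"`, the tc rule's `"$target $mark"`), so if any caller ever passes a chain name that way it would silently never be marked referenced. The `$target =~ /^RETURN\b/` test a few lines up tolerates trailing text, but the hash lookup does not. Normalising inside the `if ( $fromref && $target )` block keeps the lookup exact: `my ( $targetname ) = split ' ', $target;` followed by `my $targetref = $chain_table{$chainref->{table}}{$targetname};`. Separately, the rewritten `add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';` drops the parentheses that the other add_rule calls in this function keep; I would restore them for consistency and to avoid depending on add_rule's prototype. expand_rule begins and ends outside these hunks.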


@ -125,7 +125,7 @@ sub process_one_masq( )
for my $fullinterface (split_list $interfacelist, 'interface' ) { for my $fullinterface (split_list $interfacelist, 'interface' ) {
my $rule = ''; my $rule = '';
my $target = '-j MASQUERADE '; my $target = 'MASQUERADE ';
# #
# Isolate and verify the interface part # Isolate and verify the interface part
# #
@ -171,7 +171,7 @@ sub process_one_masq( )
fatal_error "The SAME target is no longer supported"; fatal_error "The SAME target is no longer supported";
} elsif ( $addresses eq 'detect' ) { } elsif ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface; my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable"; $target = "SNAT --to-source $variable";
if ( interface_is_optional $interface ) { if ( interface_is_optional $interface ) {
add_commands( $chainref, add_commands( $chainref,
@ -181,13 +181,13 @@ sub process_one_masq( )
$detectaddress = 1; $detectaddress = 1;
} }
} elsif ( $addresses eq 'NONAT' ) { } elsif ( $addresses eq 'NONAT' ) {
$target = '-j RETURN'; $target = 'RETURN';
$add_snat_aliases = 0; $add_snat_aliases = 0;
} else { } else {
my $addrlist = ''; my $addrlist = '';
for my $addr ( split_list $addresses , 'address' ) { for my $addr ( split_list $addresses , 'address' ) {
if ( $addr =~ /^.*\..*\..*\./ ) { if ( $addr =~ /^.*\..*\..*\./ ) {
$target = '-j SNAT '; $target = 'SNAT ';
my ($ipaddr, $rest) = split ':', $addr; my ($ipaddr, $rest) = split ':', $addr;
if ( $ipaddr =~ /^(.+)-(.+)$/ ) { if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 ); validate_range( $1, $2 );


@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
'-j NOTRACK' , 'NOTRACK' ,
'' , '' ,
'NOTRACK' , 'NOTRACK' ,
'' ; '' ;


@ -148,7 +148,7 @@ sub process_tos() {
$src , $src ,
$dst , $dst ,
'' , '' ,
"-j TOS --set-tos $tos" , "TOS --set-tos $tos" ,
'' , '' ,
'TOS' , 'TOS' ,
''; '';
@ -277,7 +277,7 @@ sub setup_blacklist() {
$direction eq 'from' ? $networks : '', $direction eq 'from' ? $networks : '',
$direction eq 'to' ? $networks : '', $direction eq 'to' ? $networks : '',
'' , '' ,
"-j $target" , $target ,
'' , '' ,
$target , $target ,
'' ); '' );
@ -1299,7 +1299,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $actiontype & REDIRECT ) { if ( $actiontype & REDIRECT ) {
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server; fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
$target = '-j REDIRECT '; $target = 'REDIRECT ';
$target .= "--to-port $serverport " if $serverport; $target .= "--to-port $serverport " if $serverport;
if ( $origdest eq '' || $origdest eq '-' ) { if ( $origdest eq '' || $origdest eq '-' ) {
$origdest = ALLIP; $origdest = ALLIP;
@ -1323,7 +1323,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} }
if ( $action eq 'DNAT' ) { if ( $action eq 'DNAT' ) {
$target = '-j DNAT '; $target = 'DNAT ';
if ( $server ) { if ( $server ) {
$serverport = ":$serverport" if $serverport; $serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) { for my $serv ( split /,/, $server ) {
@ -1429,7 +1429,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
'', # Source '', # Source
'', # Dest '', # Dest
'', # Original dest '', # Original dest
'-j ACCEPT', 'ACCEPT',
$loglevel, $loglevel,
$log_action, $log_action,
'', '',
@ -1447,7 +1447,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
$origdest , $origdest ,
"-j $tgt", $tgt,
$loglevel , $loglevel ,
$log_action , $log_action ,
'' , '' ,
@ -1493,7 +1493,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
$origdest , $origdest ,
$action ? "-j $action " : '' , $action ,
$loglevel , $loglevel ,
$log_action , $log_action ,
'' ); '' );


@ -391,9 +391,9 @@ sub process_tc_rule( ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
"-j $target $mark" , "$target $mark" ,
'' ,
'' , '' ,
$target ,
'' ) ) '' ) )
&& $device ) { && $device ) {
# #